<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Ask Pierre for a copy of his patched 5.02; I bet that will solve
your problem.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 09.24.2014 08:51, John Smith wrote:<br>
</div>
<blockquote
cite="mid:CAMiEuFRUS=DtofSB+5x7Vw_He-Uc6xC9+we0RUOfrWoo2hJaVA@mail.gmail.com"
type="cite">
<div dir="ltr">Anyway, I don't know what to say. But adding
dnscache as a dependency didn't do anything either. Same issue:
the service on bootup shows as started but there are no logs. Restarting it
through Service Control Manager works.
<div><br>
</div>
<div>Automatic (Delayed Start), at least for me, works fine. I'll
continue working with that for now...</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 September 2014 14:27, John Smith
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:java.dev.mtl@gmail.com" target="_blank">java.dev.mtl@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Ok when I have a chance I will try dnscache</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 September 2014 14:05,
Pierre DELAAGE <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:delaage.pierre@free.fr"
target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Sorry to
tell you, but...<br>
<br>
On a Windows 7 Home machine, with a HOSTNAME in
the stunnel conf and NO DELAY at service startup:<br>
I can start the service, then reboot;<br>
then, at first, my log file says ": Error
resolving 'HOSTNAME ': Neither nodename nor
servname known (EAI_NONAME)"<br>
and later, when I try to use the tunnel (and at
that time DNS is working), resolving works...<br>
<br>
so everything is OK....<br>
<br>
Even if DNS is NOT available at startup, stunnel
5.04 is able to resolve the remote server
hostname "later".<br>
<br>
<br>
<br>
2014.09.23 19:23:17 LOG7[2612]: No limit
detected for the number of clients<br>
2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on
x86-pc-msvc-1500 platform<br>
2014.09.23 19:23:17 LOG5[2612]: Compiled/running
with OpenSSL 1.0.1i-fips 6 Aug 2014<br>
2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32
Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS<br>
2014.09.23 19:23:17 LOG7[2612]: errno:
(*_errno())<br>
2014.09.23 19:23:17 LOG5[2612]: Reading
configuration from file stunnel.conf<br>
2014.09.23 19:23:17 LOG5[2612]: FIPS mode
disabled<br>
2014.09.23 19:23:17 LOG7[2612]: Compression
disabled<br>
2014.09.23 19:23:17 LOG7[2612]: Snagged 64
random bytes from C:/.rnd<br>
2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new
random bytes to C:/.rnd<br>
2014.09.23 19:23:17 LOG7[2612]: PRNG seeded
successfully<br>
2014.09.23 19:23:17 LOG6[2612]: Initializing
service [https]<br>
<br>
2014.09.23 19:23:17 LOG3[2612]: Error resolving
'HOSTNAME ': Neither nodename nor servname known
(EAI_NONAME)<br>
<br>
2014.09.23 19:23:17 LOG6[2612]: Cannot resolve
connect target - delaying DNS lookup<i> (COMMENT:
stunnel is a good fellow!)</i><br>
<br>
2014.09.23 19:23:17 LOG6[2612]: Loading cert
from file:
C:\Users\standard\Documents\Perso\SSL\johndoe.crt<br>
2014.09.23 19:23:18 LOG6[2612]: Loading key from
file:
C:\Users\standard\Documents\Perso\SSL\johndoe.uky<br>
2014.09.23 19:23:18 LOG7[2612]: Private key
check succeeded<br>
2014.09.23 19:23:18 LOG7[2612]: SSL options set:
0x00000004<br>
2014.09.23 19:23:18 LOG5[2612]: Configuration
successful<br>
2014.09.23 19:23:18 LOG7[2612]: Service [https]
(FD=348) bound to <a moz-do-not-send="true"
href="http://127.0.0.1:81" target="_blank">127.0.0.1:81</a><br>
2014.09.23 19:24:32 LOG7[2612]: Service [https]
accepted (FD=208) from <a
moz-do-not-send="true"
href="http://127.0.0.1:49164" target="_blank">127.0.0.1:49164</a><br>
2014.09.23 19:24:32 LOG7[2612]: Creating a new
thread<br>
2014.09.23 19:24:32 LOG7[2612]: New thread
created<br>
2014.09.23 19:24:32 LOG7[588]: Service [https]
started<br>
2014.09.23 19:24:32 LOG5[588]: Service [https]
accepted connection from <a
moz-do-not-send="true"
href="http://127.0.0.1:49164" target="_blank">127.0.0.1:49164</a><br>
2014.09.23 19:24:32 LOG6[588]: s_connect:
connecting XXX.YYY.UUU.III:443<br>
2014.09.23 19:24:32 LOG7[588]: s_connect:
s_poll_wait XXX.YYY.UUU.III:443: waiting 10
seconds<br>
2014.09.23 19:24:32 LOG5[588]: s_connect:
connected XXX.YYY.UUU.III:443<br>
2014.09.23 19:24:32 LOG5[588]: Service [https]
connected remote server from <a
moz-do-not-send="true"
href="http://192.168.3.220:49165"
target="_blank">192.168.3.220:49165</a><br>
2014.09.23 19:24:32 LOG7[588]: Remote socket
(FD=388) initialized<br>
2014.09.23 19:24:32 LOG6[588]: SNI: sending
servername: HOSTNAME<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): before/connect initialization<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv2/v3 write client hello A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 read server hello A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 read server certificate A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 read server certificate request
A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 read server done A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 write client certificate A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 write client key exchange A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 write certificate verify A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 write change cipher spec A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 write finished A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 flush data<br>
2014.09.23 19:24:32 LOG7[588]: SSL state
(connect): SSLv3 read finished A<br>
<br>
So I am sorry to say that I cannot reproduce
that bug.<br>
<br>
Anyway, there are many services on a heavily
loaded machine that can slow down the service
startup or interfere with file management:<br>
<br>
Antivirus? Try to deactivate it.<br>
Firewall: the same...<br>
Any other piece of software that is not
absolutely necessary at boot time.<br>
<br>
Plus: even if you don't use hostnames in the conf
file, I suggest that you try the "dnscache"
dependency anyway, <br>
because you probably have hostnames in your
certificates.<br>
<br>
Regards<br>
Pierre<br>
<br>
<br>
<br>
<div>On 23/09/2014 18:05, John Smith wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Network: Ethernet
<div>Multiple routers: No<br>
Firewall: No</div>
<div>Delay: Yes, Automatic (Delayed
Start) works like a charm.</div>
<div>CAPI engine: Yes, tried turning it
off<br>
32-bit or 64-bit: 32-bit running on a 64-bit
server. I don't see a 64-bit
version on the download page?</div>
<div>dnscache: Haven't tried it yet.</div>
<div><br>
<br>
- stunnel works fine on the server
specifically with the service set to
Automatic (Delayed Start). And I even
tunnel properly to other machines, so
it's not firewalls, routers or the
network.<br>
- Only when it's NOT (Delayed Start) does
stunnel not seem to start, even
though the service shows as started.</div>
<div>- I managed to tunnel from my
desktop to the server. I have not
tried automatic service startup on the
desktop because I don't have enough
privileges. But I'm trying to set up the
server, since that's the machine that
will have stunnel in production.<br>
<br>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 September
2014 10:04, Pierre DELAAGE <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:delaage.pierre@free.fr"
target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF"> Have you tried
changing the service dependency
from "TCPIP" (the default in the
code) to "dnscache" (OK, EVEN if
you do not use hostname
resolution)?<br>
This is just to be sure that
stunnel relies on something that
is using TCP/IP as well.<br>
<br>
Question: what kind of network
interface do you have:<br>
<br>
WiFi?<br>
Ethernet board?<br>
<br>
Are you traversing multiple
routers?<br>
<br>
Are you using multiple firewalls?<br>
<br>
Have you tuned a delay as
suggested a few days ago?<br>
<br>
Can you try without specifying
"capi engine"?<br>
<br>
Are you using stunnel 32-bit or
64-bit? If 64, try the 32-bit
version as well.<br>
<br>
I am reviewing the code and will soon
run some tests on W7 32-bit.<br>
<br>
Regards<br>
Pierre<br>
<br>
<br>
<br>
<div>On 23/09/2014 15:30, John
Smith wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">I wish you
were right, but
unfortunately it's running,
lol</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
22 September 2014 18:24,
Pierre DELAAGE <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:delaage.pierre@free.fr" target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
When you observe
that the log is empty
and that "stunnel
shows as started",<br>
do a CTRL ALT DEL to
check if there is
any process called
"stunnel" that is
really running...<br>
<br>
I suspect that,
although SCM says
stunnel is running,
in fact it is not.<br>
<br>
Regards<br>
Pierre<br>
<br>
<div>On 22/09/2014
21:43, John Smith
wrote:<br>
</div>
<div>
<div>
<blockquote
type="cite">
<div dir="ltr">Hi,
I used the administrator
account and defaults to
install. It is installed at
Program Files (x86).
<div><br>
</div>
<div>The service is set
to run as the Local System
account and "interact with
desktop" is checked.</div>
<div><br>
</div>
<div>Once the machine is
booted... log in, open the
service control panel:
stunnel shows as started. Go
look at the logs, nothing
there... In the service
control panel hit the
restart button, and it
comes up properly.</div>
<div><br>
</div>
<div>My config
is as follows:</div>
<div><br>
</div>
<div>
<pre>
; Debugging stuff (may be useful for troubleshooting)
;debug = 7
output = stunnel.log

; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine

[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2

[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2

[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
</pre>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
22 September
2014 14:30,
Pierre DELAAGE
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:delaage.pierre@free.fr"
target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF"> Hello,<br>
I can tell you my patch was addressing a read file error on the conf file,<br>
but, unfortunately, not at all the "dependencies of the stunnel service at start-up",<br>
which is likely to be the core problem preventing stunnel from starting correctly at boot time for people on that thread.<br>
<br>
Michal added explicit dependencies at startup, which is necessary to solve that bug. I have not checked its implementation yet.<br>
<br>
But maybe some services, although started, are still "not ready" when stunnel starts, and this makes stunnel fail.<br>
<br>
I suggest that stunnel checks not only the availability but also the "efficiency" of the DNS service, by trying to resolve a well-known server.<br>
It should retry for, e.g., 3 seconds, and then stop with some report if it fails to resolve the hostname,<br>
either for lack of network or for lack of an answer from the name resolver.<br>
But... it seems that when having problems at startup, it cannot even log anything.... Maybe this is due to the identity of the "system user" of stunnel at that particular moment: a user that may have no right to write on the HD.<br>
<br>
People should also check the installation location of stunnel: it is supposed (and has predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel".<br>
I recommend using that location.<br>
<br>
They should also try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.<br>
<br>
On some networks or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.<br>
<br>
On the other hand, it sounds strange that just restarting stunnel (in user mode or service mode?) solves the problem:<br>
this sounds like unavailability of DNS at startup.<br>
<br>
I did not investigate that particular problem, but I will perform some tests soon with the latest 5.04 (or 5.05).<br>
<br>
Yours sincerely<br>
Pierre<br>
<br>
<br>
<br>
<div>On
22/09/2014
19:20, <a
moz-do-not-send="true"
href="mailto:541401@gmail.com" target="_blank">541401@gmail.com</a>
wrote:<br>
</div>
<div>
<div>
<blockquote
type="cite">
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are x64 as the OS is only released as x64).<br>
<br>
During August of 2014 I reported in this forum that the current version of Stunnel would not function as a service under the above OS; even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.<br>
<br>
Pierre Delaage was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.<br>
<br>
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?<br>
<br>
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.<br>
<br>
<br>
<br>
<div>On
09.22.2014
06:54, John
Smith wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">I tried 5.04 on Windows Server 2008 R2 Enterprise Service Pack 1 x64
<div><br>
</div>
<div><br>
</div>
<div>Same issue. Service shows as started, but no log. If I do a manual restart it works.<br>
<br>
I have to use delayed startup.</div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On